Qualys: Cloud Security Must Move Towards ‘Transparent Orchestration’

What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar.

Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu, picking Netflix, searching for “My Little Pony,” navigating the seasons and list of episodes, and finally clicking on the one she wanted to watch.

But that process became a thing of the past at Thakar’s house after he got a Google Home smart speaker and home assistant, and linked it up with his smart TV. Now all his daughter needs to do is tell Google Home to play her favorite show on the living room TV, and all the steps are carried out in an automated, seamless way, without anyone even having to grab the TV remote control.

“That’s transparent,” Thakar said on Monday during his keynote speech at the Cloud Security Alliance (CSA) Summit being held at the RSA Conference in San Francisco.

Transparency

That’s the direction in which Thakar wants security to move: Simplifying security by eliminating friction and making it as intuitive and automated as possible for end users, a goal he calls “transparent orchestration.”

“Today, for all of those organizations using traditional security solutions, especially SIEM tools, life’s anything but transparent,” he said.

It’s a vision of the future that’s guiding Qualys and other cloud computing leaders. Fortunately, those efforts are starting to bear fruit as customers’ moves of infrastructure to the cloud are increasingly facilitated with cloud automation and orchestration.

Thakar sees evidence of that, for example, in Microsoft’s Azure Security Center, which automates security configuration steps for users, guiding and helping them find and install third-party modules for tasks such as vulnerability management.

“The end user doesn’t need to know how it gets installed, or how (vulnerability) information gets in there,” he said.

However, once the customer checks his Azure Security Center console again, the vulnerability information is all there, showing the biggest findings for that host, without having to deal with any of the backend processes involved.

“It’s all orchestrated between the cloud platform provider and the security vendor to give the customer that visibility at their fingertips,” he said.

Security Automation & Orchestration

A major benefit of security automation and orchestration is the ability to aggregate and consolidate a variety of information from multiple sources in a single console. That way, customers can easily see their security and compliance posture at a glance in one place, as is possible today with the Qualys Cloud Platform.

“The great thing about the cloud is that you have this notion of applications so that you can see how everything is connected with everything, which is really hard in a traditional data center space,” he said.

With all the security and compliance information at their fingertips, and with the ability to drill down into details on an ad hoc basis from a central console, customers can make better and faster decisions to protect their IT environments.

To further illustrate his vision, Thakar showed a video of an app Qualys is testing that will let customers obtain information about their Qualys data by giving voice commands on a mobile phone to Google Assistant.

The video shows Thakar asking Google Assistant to query Qualys Cloud Support, and then he voices a series of questions to which he receives immediate answers, including:

“How many cloud accounts do I have?”

“You have 15 accounts in AWS, 5 accounts in Azure and 1 account in Google Cloud.”

“How many resources do I have in AWS?”

“You have 16,283 resources in your AWS accounts.”

As Thakar drills down with increasingly specific questions on problem areas, he ends the Google Assistant session by instructing Qualys Cloud Support to “post the control failures to the SOC Slack channel,” a command that’s immediately acted upon.

Thakar was preceded on stage by Qualys CEO Philippe Courtot. Showing a photo of himself speaking at the RSA Conference in 2009, Courtot reminded CSA Summit attendees that it wasn’t that long ago that the naysayers outnumbered cloud security proponents.

“There I was trying to explain to the audience that in fact we needed to rethink security, and not very successfully. I felt like Galileo trying to convince the Catholic Church that the Sun was not orbiting around the Earth,” Courtot said.

That same year – 2009 – was when the CSA was born, with financial support from a few cloud security vendors, including Qualys, to promote best practices for cloud security. Since then, the CSA has provided important thought leadership and guidance, and has grown to have more than 100 charters and 80,000-plus security expert members around the globe.

CIO/CISO Interchange

Courtot announced the launch of theCIO/CISO Interchange, whose mission is to be a vendor-neutral, open forum for discussions, debates and exchanges between CIOs, CTOs and CISOs centered around securing organizations’ digital transformations.

Security must be re-invented in order to provide the proper protection for digital transformation efforts, he stressed. This can’t be accomplished by continuing to layer on an ever increasing number of security and compliance solutions, but by building security into digital transformation, Courtot said, as he listed five key tenets for the future of security: visibility, accuracy, scale, immediacy and transparent orchestration.

The CIO/CISO Interchange inaugural event, titled “Building security into the digital transformation — not bolting it on,” will be held today in San Francisco. Courtot and the CSA are the co-founders of the CIO/CISO Interchange, which is a non-profit organization.

“We’ll go around the world, with small conferences, city by city, a totally global initiative,” Courtot said. “I’m very excited about this.”